Session Management Flaw in Keycloak
CVE-2025-12390
6 MEDIUM
What is CVE-2025-12390?
Keycloak contains a session management issue in which users who share the same device and browser may inadvertently access each other's sessions. The issue stems from improper handling of session identifiers, which leads to token reuse and potential unauthorized access. When a user logs out without fully clearing browser cookies, residual session data can cause a subsequent user of the same browser to receive tokens intended for the prior user, creating a significant security risk.
CVSS v3.1
Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Credit
Red Hat would like to thank Simon Levermann (CTS EVENTIM Solutions GmbH) for reporting this issue.